add: Support LUKS encryption using IBM CEX secure keys on s390x #536
Conversation
docs/config-fcos-v1_6-exp.md
Outdated
| @@ -219,6 +221,7 @@ The Fedora CoreOS configuration is a YAML document conforming to the following s | |||
| * **_tpm2_** (boolean): whether or not to use a tpm2 device. | |||
| * **_threshold_** (integer): sets the minimum number of pieces required to decrypt the device. Default is 1. | |||
| * **_discard_** (boolean): whether to issue discard commands to the underlying block device when blocks are freed. Enabling this improves performance and device longevity on SSDs and space utilization on thinly provisioned SAN devices, but leaks information about which disk blocks contain data. If omitted, it defaults to false. | |||
| * **_enabled_** (boolean): UnSupported | |||
docs/config-flatcar-v1_2-exp.md
Outdated
| * **_cex_** (object): describes the IBM Crypto Express (CEX) card configuration for the luks device. | ||
| * **_enabled_** (boolean): whether or not to use a CEX secure key to encrypt the luks device. |
There was a problem hiding this comment.
If it needs changes outside of Ignition and Butane then we should reach out to them before we add it here.
There was a problem hiding this comment.
Hi @travier , Could you help here how can i get rid of this from flatcar? It was auto generated.
There was a problem hiding this comment.
Probably something like: https://github.com/madhu-pillai/butane/blob/test_cex/internal/doc/butane.yaml#L49..L60
There was a problem hiding this comment.
Ah, no, looks like it's just for a substring.
There was a problem hiding this comment.
Hi @travier,
What i found is flatcar has luks feature too where it generates the document from the ignition/v2/config/doc. The flatcar schema is configured to obtain config from base/v0_6_exp . For the cex feature i've added the cex.enabled in the base/v0_6_exp. Adding conditions in the butane.yaml does not make any changes, as the docs get pulled according to the ignition/v2/config/doc.
There was a problem hiding this comment.
It looks like there are field filters that can be used to ensure that trying to use some base Ignition fields result in errors on some variants. See e.g.
butane/config/openshift/v4_17_exp/translate.go
Lines 62 to 109 in d26d803
But also, since most of the enablement work was done in Ignition and Flatcar does support Clevis at least, CEX encryption also should mostly work in Flatcar. So they might be interested in testing it as well and if it works, remove the field filters in a follow up (cc @tormath1).
There was a problem hiding this comment.
Thanks for the heads-up. For what is worth, I never heard about someone running Flatcar on IBM and we don't even provide IBM images with ibmcloud OEM id.
So yeah, I guess we can go ahead with a filter, similar to what we have done with Clevis before adding support on Flatcar: a8c311b
internal/doc/butane.yaml
Outdated
| - name: enabled | ||
| desc: whether or not to use a cex device. | ||
| transforms: | ||
| - regex: ".*" | ||
| replacement: "UnSupported" | ||
| if: | ||
| - variant: fcos | ||
| min: 1.6.0-experimental | ||
| - variant: openshift | ||
| min: 4.16.0-experimental |
There was a problem hiding this comment.
This was a hack for the GRUB support. Ideally we don't need this.
There was a problem hiding this comment.
Will remove the transforms
|
Hi @travier , |
config/fcos/v1_6_exp/schema.go
Outdated
| @@ -33,6 +33,7 @@ type BootDevice struct { | |||
| type BootDeviceLuks struct { | |||
| Discard *bool `yaml:"discard"` | |||
| Device *string `yaml:"device"` | |||
| Enabled *bool `yaml:"enabled"` | |||
There was a problem hiding this comment.
Shouldn't this field be named cex? Enabled is ambiguous here.
There was a problem hiding this comment.
There were few s390x specific parameter that can be selected under cex type. But later those parameter added as default and hardcoded in the ignition and decided that we can add in future if there is a requirement eg CIPHER. That's why the cex.enabled. The types is added under v0_6_exp as cex.enabled.
madhu@Madhus-MacBook-Pro arm64 % ./butane test.bu -o test.ign --pretty
madhu@Madhus-MacBook-Pro arm64 % cat test.bu
variant: fcos
version: 1.6.0-experimental
boot_device:
layout: s390x-zfcp
luks:
device: /dev/sda
enabled: true
madhu@Madhus-MacBook-Pro arm64 % cat test.ign
{
"ignition": {
"version": "3.5.0-experimental"
},
"storage": {
"filesystems": [
{
"device": "/dev/mapper/root",
"format": "xfs",
"label": "root",
"wipeFilesystem": true
}
],
"luks": [
{
"cex": {
"enabled": true
},
"device": "/dev/sda4",
"label": "luks-root",
"name": "root",
"wipeVolume": true
}
]
}
}
There was a problem hiding this comment.
Why is this not cex.enabled like in the 0.6-exp scema?
There was a problem hiding this comment.
Okay, I thought the boot-device sugar we only need enabled because it works only with s390x and looks short. Let me try same in fcos too.
|
Hi @travier , |
|
| - name: cex | ||
| desc: whether or not to use cex device. | ||
| children: | ||
| - name: enabled |
There was a problem hiding this comment.
HI @travier , Oh, My Bad, I verified only from the docs side. Now i've added the description.
config/common/errors.go
Outdated
| @@ -59,6 +59,7 @@ var ( | |||
| ErrNoLuksBootDevice = errors.New("device is required for layouts: s390x-eckd, s390x-zfcp") | |||
| ErrMirrorNotSupport = errors.New("mirroring not supported on layouts: s390x-eckd, s390x-zfcp, s390x-virt") | |||
| ErrLuksBootDeviceBadName = errors.New("device name must start with /dev/dasd on s390x-eckd layout or /dev/sd on s390x-zfcp layout") | |||
| ErrCexUnSupportArch = errors.New("cex does not supported architectures other than s390x") | |||
There was a problem hiding this comment.
Hmm, lets try
ErrCexArchitectureMissmatch
"when using cex the targeted architecture must match s390x"
| @@ -114,7 +114,7 @@ func (c Config) processBootDevice(config *types.Config, ts *translate.Translatio | |||
| var r report.Report | |||
|
|
|||
| // check for high-level features | |||
| wantLuks := util.IsTrue(c.BootDevice.Luks.Tpm2) || len(c.BootDevice.Luks.Tang) > 0 | |||
| wantLuks := util.IsTrue(c.BootDevice.Luks.Tpm2) || len(c.BootDevice.Luks.Tang) > 0 || util.IsTrue(c.BootDevice.Luks.Cex.Enabled) | |||
There was a problem hiding this comment.
This is getting long, not sure if there is anything to do to fix this.. but yeah.
There was a problem hiding this comment.
Added this feature similar to the other two luks method.
| layout: s390x-eckd | ||
| luks: | ||
| device: /dev/dasda | ||
| cex: |
There was a problem hiding this comment.
So we have a 3d object, with only two dementions ? (on and off)
Are there plans for adding other fields to the cex object?
if not we can we make it 2d? i.e cex: bool
There was a problem hiding this comment.
There were few s390x specific parameter that can be selected under cex type. But later those parameter added as default and hardcoded in the ignition and decided that we can add in future if there is a requirement eg CIPHER. That's why the cex.enabled.
There was a problem hiding this comment.
Ah, ok, nothing to push on if everyone else is okay with it.
|
Hi @prestist , |
config/common/errors.go
Outdated
| @@ -59,6 +59,8 @@ var ( | |||
| ErrNoLuksBootDevice = errors.New("device is required for layouts: s390x-eckd, s390x-zfcp") | |||
| ErrMirrorNotSupport = errors.New("mirroring not supported on layouts: s390x-eckd, s390x-zfcp, s390x-virt") | |||
| ErrLuksBootDeviceBadName = errors.New("device name must start with /dev/dasd on s390x-eckd layout or /dev/sd on s390x-zfcp layout") | |||
| ErrCexArchitectureMismatch = errors.New("when using cex the targeted architecture must match s390x") | |||
| ErrUnSupportedHardware = errors.New("the hardware is not supported") | |||
There was a problem hiding this comment.
Since we are adding this error for cex I expect it to have some indication that its related to it. Also I might have used the wrong verbiage before I am sorry about that.
Wdyt
ErrCexNotSupported: "cex is not currently supported on the target platform"
There was a problem hiding this comment.
@madhu-pillai have you had a chance to update this error name?
There was a problem hiding this comment.
@prestist , Oops sorry, I thought we need to hold till the ignition get stablized. Done
There was a problem hiding this comment.
No worries; I think here were talks about keeping this in "experimental" so stabilization happing first would make sense.
| layout: s390x-eckd | ||
| luks: | ||
| device: /dev/dasda | ||
| cex: |
There was a problem hiding this comment.
Ah, ok, nothing to push on if everyone else is okay with it.
Bumps [github.com/coreos/ignition/v2](https://github.com/coreos/ignition) from 2.18.0 to 2.19.0. - [Release notes](https://github.com/coreos/ignition/releases) - [Changelog](https://github.com/coreos/ignition/blob/main/docs/release-notes.md) - [Commits](coreos/ignition@v2.18.0...v2.19.0) --- updated-dependencies: - dependency-name: github.com/coreos/ignition/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Docs rephrase in luks.cex.enabled description. coreos/butane#536 (comment)
Docs rephrase in luks.cex.enabled description. coreos/butane#536 (comment)
Added the feature of IBM CEX card based LUKS encryption. Kindly review..